Recipe 14.3 Enabling Anonymous LDAP Access

14.3.1 Problem

You want to enable anonymous LDAP access for clients. In Windows 2000 Active Directory, anonymous queries were enabled by default, although restricted. With Windows Server 2003 Active Directory, anonymous queries are disabled except for querying the RootDSE.

14.3.2 Solution

Using a graphical user interface
  1. Open ADSI Edit.

  2. In the Configuration partition, browse to cn=Services → cn=Windows NT → cn=Directory Service.

  3. In the left pane, right-click on the Directory Service object and select Properties.

  4. Double-click on the dSHeuristics attribute.

  5. If the attribute is empty, set it with the value: 0000002.

  6. If the attribute has an existing value, make sure the seventh digit is set to 2.

  7. Click OK twice.

Using VBScript

' This code enables or disables anonymous query mode for a forest.
' ------ SCRIPT CONFIGURATION ------
boolEnableAnonQuery = 2  ' e.g. 2 to enable, 0 to disable
' ------ END CONFIGURATION ---------

set objRootDSE = GetObject("LDAP://RootDSE")
set objDS = GetObject( _
             "LDAP://cn=Directory Service,cn=Windows NT,cn=Services," _
              & objRootDSE.Get("configurationNamingContext") )

' Get() fails when the attribute has never been set; treat that as an empty value
on error resume next
strDSH = objDS.Get("dSHeuristics")
if Err.Number <> 0 then strDSH = ""
Err.Clear
on error goto 0

' Pad with zeros so the value is at least seven characters long
for i = len(strDSH) to 6
   strDSH = strDSH & "0"
next

' Replace only the seventh character, keeping everything before and after it
strNewDSH = Left(strDSH,6) & boolEnableAnonQuery
strNewDSH = strNewDSH & Right(strDSH, len(strDSH) - 7 )

WScript.Echo "Old value: " & strDSH
WScript.Echo "New value: " & strNewDSH

if strDSH <> strNewDSH then
   objDS.Put "dSHeuristics", strNewDSH
   objDS.SetInfo
   WScript.Echo "Successfully set anon query mode to " & boolEnableAnonQuery
else
   WScript.Echo "Anon query mode already set to " & boolEnableAnonQuery
end if

14.3.3 Discussion

To enable anonymous access, you have to modify the dSHeuristics attribute of the cn=Directory Service,cn=Windows NT,cn=Services,ConfigurationDN object. The dSHeuristics attribute is an interesting attribute used to control certain behavior in Active Directory. For example, you can enable "List Object Mode" (see Recipe 14.15) by setting the dSHeuristics flag.

The dSHeuristics attribute consists of a series of characters, each of which enables certain functionality when set. To enable anonymous access, the seventh character must be set to 2. By default, dSHeuristics does not have a value. If you set it to enable anonymous access, the value would be the following: 0000002.
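The positional logic above, as an added example (not code from the book): it applies the same pad-to-seven-then-replace rule as the recipe's VBScript, generalized to any of the first nine positions so other flags already present in the value are preserved, and it adds an audit check that tells you whether a given dSHeuristics value actually has anonymous LDAP access enabled. The sample values are constructed, not read from a directory.

```python
# Added example (not from the book): string handling for dSHeuristics so the rule
# "seventh character = 2 enables anonymous LDAP" can be audited and applied safely.

ANON_QUERY_POS = 7   # 1-based position that controls anonymous LDAP access
ANON_ENABLED = "2"
ANON_DISABLED = "0"


def set_dsheuristics_char(current: str, position: int, digit: str) -> str:
    """Return a dSHeuristics value with the 1-based `position` set to `digit`.

    Characters before `position` are preserved and missing ones are padded
    with "0", as the recipe's VBScript does for position 7. Characters after
    `position` are kept so other flags (e.g. List Object Mode at position 3)
    are not clobbered. Limited to positions 1-9: every 10th character of
    dSHeuristics is a check digit with a mandated value, which is not handled here.
    """
    if not 1 <= position <= 9:
        raise ValueError("only positions 1-9 are supported by this helper")
    if len(digit) != 1 or not digit.isalnum():
        raise ValueError("digit must be a single alphanumeric character")
    padded = (current or "").ljust(position, "0")
    return padded[:position - 1] + digit + padded[position:]


def anonymous_ldap_enabled(current: str) -> bool:
    """Audit check: True only when the 7th character is exactly '2'.

    An empty or shorter value means the Windows Server 2003 default applies,
    i.e. anonymous operations other than reading the RootDSE are disabled.
    """
    current = current or ""
    return len(current) >= ANON_QUERY_POS and current[ANON_QUERY_POS - 1] == ANON_ENABLED


def enable_anonymous_ldap(current: str) -> str:
    return set_dsheuristics_char(current, ANON_QUERY_POS, ANON_ENABLED)


def disable_anonymous_ldap(current: str) -> str:
    return set_dsheuristics_char(current, ANON_QUERY_POS, ANON_DISABLED)


if __name__ == "__main__":
    # Constructed sample values covering empty, short, exact and longer strings.
    for sample in ["", "001", "0000002", "0010002", "000000200"]:
        print(f"{sample!r:12} anon={anonymous_ldap_enabled(sample)!s:5} "
              f"enable->{enable_anonymous_ldap(sample)!r} "
              f"disable->{disable_anonymous_ldap(sample)!r}")
```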

After enabling anonymous access, the assumption is you'll want to grant access for anonymous users to retrieve some data from Active Directory. To do that, grant the ANONYMOUS LOGON user access to the parts of the directory you want anonymous users to search. You must grant the access from the root of the directory down to the object of interest. See MS KB 320528 for an example of how to enable the anonymous user to query email addresses of user objects.

14.3.4 See Also

MS KB 320528 (How to Configure Active Directory to Allow Anonymous Queries), and MS KB 326690 (Anonymous LDAP Operations to Active Directory Are Disabled on Windows Server 2003 Domain Controllers)
